In today's digital age, a single phishing email can result in millions of dollars in losses for companies worldwide. One of the most prevalent threats is 'vendor email compromise' (where criminals impersonate legitimate vendors to redirect payments) or supplier payment fraud (a sophisticated scam where fraudsters intercept and manipulate vendor-client communications to divert payments to their own accounts). These scams have become increasingly sophisticated, targeting businesses of all sizes across the globe.

This article provides an understanding for securely sharing your banking details with customers, helping you avoid these common fraud scenarios.

Understanding the threat

Consider this common scenario: Two companies, A and B, have a long-standing business relationship. Company A regularly invoices Company B for services. One day, Company B's finance team receives what appears to be a legitimate email from Company A, announcing a change in banking details. Without proper verification, Company B updates the payment information and transfers funds to what turns out to be a fraudulent account - resulting in substantial financial losses.

Common Pattern in These Scams:

• Hackers monitor email exchanges between companies
• They study invoice formats, communication styles, and business relationships
• They often wait for a large pending payment
• They create very similar email domains (like changing "company.com" to "cornpany.com")
• Time their attack just before an expected payment
• Sometimes even follow up with phone calls using spoofed numbers

Real-World Impact

Let's look at two notable cases that demonstrate the severity of this threat:

Toyota Boshoku Corporation  
Year: 2019
Total Losses: $37 million

In a sophisticated attack targeting their European subsidiary, cybercriminals successfully diverted $37 million by posing as a trusted business partner. The attackers posed as one of the subsidiary’s business partners and requested a transfer to a new bank account. They created urgency by claiming delayed payments would disrupt parts production, pressuring the finance team to act quickly. (Read more about this here)

In another similar case at MacEwan University (Edmonton, Alberta)

Year: 2017
Amount lost: $11.8 million CAD

In one of Canada's most notable cases of supplier payment fraud, Edmonton's MacEwan University fell victim to a sophisticated scam in August 2017, losing $11.8 million CAD to cybercriminals. The fraudsters masterfully impersonated a legitimate construction vendor, using meticulously crafted fake domain names and convincing documentation to request banking information changes. The university's staff, believing they were corresponding with their trusted vendor, processed three substantial payments to fraudulent accounts before discovering the deception.

While the university ultimately recovered most funds through swift legal action, this incident served as a watershed moment in Canadian cybersecurity awareness, prompting institutions nationwide to overhaul their payment verification processes.

The case highlighted how even established institutions can fall prey to well-orchestrated business email compromise scams. (Read more about this here)

How to Securely Share New Account Details?

When changing your banking details, clear communication with your customers is crucial. While email and written notices play a role, they're just one part of a comprehensive verification process. The key is implementing a multi-channel approach that protects both you and your customers from sophisticated payment frauds.

Golden Rule: Mandatory verbal verification

Banking changes begin with comprehensive written documentation. An official letter must be submitted on verified company letterhead, containing all essential details. This letter serves as the foundation of the verification process, requiring clear and complete presentation of the new banking information. The documentation must include explicit instructions for updating records, ensuring no room for ambiguity or misinterpretation in the process.

Verbal confirmation stands as the critical second layer of security. All customers are required to initiate contact through previously established phone numbers registered in the system. This strict protocol prohibits the acceptance of any new contact numbers during the verification process, eliminating potential security breaches. Verification must proceed exclusively through established relationship channels, ensuring that all confirmations come from known, trusted sources within the organization.‍

Customer Education

Be proactive in communicating your security procedures. Make it clear through both written and verbal channels that your organization:

• Never accepts urgent banking changes without verification
• Won't provide new phone numbers during the process
• Always requires verbal confirmation
• Has a standard waiting period for all changes

Red Flags to Share

Help your customers protect themselves by watching for:

• Unexpected banking change requests
• High-pressure tactics or artificial urgency
• Slight variations in email domains
• Any request to bypass normal procedures

A sample email of how you can share your bank account details:

Remember: While digital communication drives modern business, verbal verification through established contacts remains your strongest defense against payment fraud.  Any request to bypass normal procedures or use new contact information should raise immediate alarms. When in doubt, take the time to verify through established channels.

A five-minute phone call can prevent million-dollar losses!